I have set up our new Sonicwall Pro 4060 and all is fine except that Global VPN users can't log in if I use xauth. If I set it for "allow unauthenticated users" then users can connect, but I need to have it working with xauth. At this point, I don't see why xauth is not working.
Thanks for the info, but this does not resolve my problem.
Here is more information on setup and config:
I am logging in from a Windows XP machine with the SonicWall client. I also tried the login from a Windows 7 system, with the latest Sonicwall Global VPN client. Same results. OK if I set it for "allow unauthenticated users", but it does not accept the user ID/password when set to use xauth on the Pro 4060.
Here is my config from the 4060:
General tab
Wan Group VPN
IKE using preshared secret
when set for xauth: User Group for XAUTH = Trusted Users.
I also created a new group called Global VPN Users, added the users/members to this group, VPN access to LAN subnets. Won't allow user/password to connect.
When set for "allow Unauthenticated VPN client access" = LAN Subnets, connects properly.
Client Tab
Allow connections to = This Gateway Only
Thanks,
Helmut K
Konsultant
Hi Helmut,
Can you provide logs from GVC and from the SonicWall? You should see in the logs the reasons why the user was not authenticated. Also, for your testing, it may not work when you are connected as admin from the same source IP address. So make sure that when you are testing you are not logged in as Admin at the same time.
1 03/21/2012 10:40:12.656 Info Authenticated Access Configuration mode administration session started 192.168.0.213, 0, X0 (admin) 192.168.0.5, 80, X0 admin at GUI from 192.168.0.213
2 03/21/2012 10:40:12.656 Info Authenticated Access Administrator login allowed 192.168.0.213, 0, X0 (admin) 192.168.0.5, 80, X0 admin, TCP HTTP
3 03/21/2012 10:39:47.768 Info PPP PPP message: LCP Echo Reply sent
4 03/21/2012 10:39:47.768 Info PPP PPP message: LCP Echo Request Received
5 03/21/2012 10:39:47.768 Info PPP PPP message: LCP: RX <pppoe client> <1> Echo-Request len=8 id=0xF9 state=9
6 03/21/2012 10:39:26.608 Alert Intrusion Prevention Probable port scan detected 173.194.33.40, 80, X1 209.53.201.211, 49578, X1 TCP scanned port list, 58864, 31332, 28539, 16340, 53586, 32797, 47627, 42182, 6607, 49578
7 03/21/2012 10:39:11.336 Alert Intrusion Prevention Possible port scan detected 173.194.33.40, 80, X1 209.53.201.211, 45041, X1 TCP scanned port list, 11445, 54875, 45123, 55020, 32341
8 03/21/2012 10:38:47.656 Info PPP PPP message: LCP Echo Reply sent
9 03/21/2012 10:38:47.656 Info PPP PPP message: LCP Echo Request Received
10 03/21/2012 10:38:47.656 Info PPP PPP message: LCP: RX <pppoe client> <1> Echo-Request len=8 id=0xF8 state=9
11 03/21/2012 10:38:41.240 Error VPN Client XAUTH Failed with VPN client, Authentication failure 209.53.201.213 (HELMUTK) 209.53.201.211 HELMUTK
12 03/21/2012 10:38:41.240 Info Authenticated Access User login denied due to bad credentials 209.53.201.213, 0, X1 209.53.201.211, 0, X1 HELMUTK, TCP Port: 0
13 03/21/2012 10:38:41.064 Info VPN IKE IKE Responder: Aggressive Mode complete (Phase 1) 209.53.201.213, 500 (HELMUTK) 209.53.201.211, 500 VPN Policy: WAN GroupVPN;3DES; SHA1; DH Group 2; lifetime=28800 secs
14 03/21/2012 10:38:40.816 Info VPN IKE IKE Responder: Received Aggressive Mode request (Phase 1) 209.53.201.213, 500 (HELMUTK) 209.53.201.211, 500
15 03/21/2012 10:38:38.656 Error VPN Client XAUTH Failed with VPN client, Authentication failure 209.53.201.213 (HELMUTK) 209.53.201.211 HELMUTK
16 03/21/2012 10:38:38.656 Info Authenticated Access User login denied due to bad credentials 209.53.201.213, 0, X1 209.53.201.211, 0, X1 HELMUTK, TCP Port: 0
17 03/21/2012 10:38:38.416 Info VPN IKE IKE Responder: Aggressive Mode complete (Phase 1) 209.53.201.213, 500 (helmutk) 209.53.201.211, 500 VPN Policy: WAN GroupVPN;3DES; SHA1; DH Group 2; lifetime=28800 secs
18 03/21/2012 10:38:38.144 Info VPN IKE IKE Responder: Received Aggressive Mode request (Phase 1) 209.53.201.213, 500 (helmutk) 209.53.201.211, 500
19 03/21/2012 10:38:25.304 Info VPN IKE Received IKE SA delete request 209.53.201.213, 500 (helmutk) 209.53.201.211, 500 VPN Policy: WAN GroupVPN
20 03/21/2012 10:38:25.144 Info VPN IKE IKE Responder: Aggressive Mode complete (Phase 1) 209.53.201.213, 500 (helmutk) 209.53.201.211, 500 VPN Policy: WAN GroupVPN;3DES; SHA1; DH Group 2; lifetime=28800 secs
21 03/21/2012 10:38:24.880 Info VPN IKE IKE Responder: Received Aggressive Mode request (Phase 1) 209.53.201.213, 500 (helmutk) 209.53.201.211, 500
22 03/21/2012 10:38:12.784 Error VPN Client XAUTH Failed with VPN client, Authentication failure 209.53.201.213 (helmutk) 209.53.201.211 helmutk
23 03/21/2012 10:38:12.784 Info Authenticated Access User login denied due to bad credentials 209.53.201.213, 0, X1 209.53.201.211, 0, X1 helmutk, TCP Port: 0
24 03/21/2012 10:38:12.640 Info VPN IKE IKE Responder: Aggressive Mode complete (Phase 1) 209.53.201.213, 500 (helmutk) 209.53.201.211, 500 VPN Policy: WAN GroupVPN;3DES; SHA1; DH Group 2; lifetime=28800 secs
25 03/21/2012 10:38:12.416 Info VPN IKE IKE Responder: Received Aggressive Mode request (Phase 1) 209.53.201.213, 500 (helmutk) 209.53.201.211, 500
26 03/21/2012 10:38:08.064 Error VPN Client XAUTH Failed with VPN client, Authentication failure 209.53.201.213 (helmutk) 209.53.201.211 helmutk
27 03/21/2012 10:38:08.064 Info Authenticated Access User login denied due to bad credentials 209.53.201.213, 0, X1 209.53.201.211, 0, X1 helmutk, TCP Port: 0
28 03/21/2012 10:38:08.016 Info VPN IKE IKE Responder: Aggressive Mode complete (Phase 1) 209.53.201.213, 500 209.53.201.211, 500 VPN Policy: WAN GroupVPN;3DES; SHA1; DH Group 2; lifetime=28800 secs
29 03/21/2012 10:38:07.896 Info VPN IKE IKE Responder: Received Aggressive Mode request (Phase 1) 209.53.201.213, 500 209.53.201.211, 500
30 03/21/2012 10:37:57.704 Info VPN IKE Received IKE SA delete request 209.53.201.213, 500 209.53.201.211, 500 VPN Policy: WAN GroupVPN
31 03/21/2012 10:37:57.608 Info VPN IKE IKE Responder: Aggressive Mode complete (Phase 1) 209.53.201.213, 500 209.53.201.211, 500 VPN Policy: WAN GroupVPN;3DES; SHA1; DH Group 2; lifetime=28800 secs
32 03/21/2012 10:37:57.608 Info VPN IKE NAT Discovery : Peer IPSec Security Gateway behind a NAT/NAPT Device
33 03/21/2012 10:37:57.496 Info VPN IKE IKE Responder: Received Aggressive Mode request (Phase 1) 209.53.201.213, 500 209.53.201.211, 500
34 03/21/2012 10:37:47.576 Info PPP PPP message: LCP Echo Reply sent
35 03/21/2012 10:37:47.576 Info PPP PPP message: LCP Echo Request Received
36 03/21/2012 10:37:47.576 Info PPP PPP message: LCP: RX <pppoe client> <1> Echo-Request len=8 id=0xF7 state=9
37 03/21/2012 10:37:44.144 Info Authenticated Access GUI administration session ended 192.168.0.213, 0, X0 (admin) 192.168.0.5, 80, X0 admin
38 03/21/2012 10:37:44.144 Info Authenticated Access Configuration mode administration session ended 192.168.0.213, 0, X0 (admin) 192.168.0.5, 80, X0 admin at GUI from 192.168.0.213
39 03/21/2012 10:37:44.144 Info Authenticated Access Administrator logged out 192.168.0.213, 0, X0 (admin) 192.168.0.5, 80, X0 User logged out
40 03/21/2012 10:36:47.464 Info PPP PPP message: LCP Echo Reply sent
41 03/21/2012 10:36:47.464 Info PPP PPP message: LCP Echo Request Received
42 03/21/2012 10:36:47.464 Info PPP PPP message: LCP: RX <pppoe client> <1> Echo-Request len=8 id=0xF6 state=9
43 03/21/2012 10:35:47.352 Info PPP PPP message: LCP Echo Reply sent
44 03/21/2012 10:35:47.352 Info PPP PPP message: LCP Echo Request Received
45 03/21/2012 10:35:47.352 Info PPP PPP message: LCP: RX <pppoe client> <1> Echo-Request len=8 id=0xF5 state=9
46 03/21/2012 10:34:36.592 Info Authenticated Access Configuration mode administration session started 192.168.0.213, 0, X0 (admin) 192.168.0.5, 80, X0 admin at GUI from 192.168.0.213
47 03/21/2012 10:34:36.592 Info Authenticated Access Administrator login allowed 192.168.0.213, 0, X0 (admin) 192.168.0.5, 80, X0 admin, TCP HTTP
48 03/21/2012 10:33:47.176 Info PPP PPP message: LCP Echo Reply sent
49 03/21/2012 10:33:47.176 Info PPP PPP message: LCP Echo Request Received
50 03/21/2012 10:33:47.176 Info PPP PPP message: LCP: RX <pppoe client> <1> Echo-Request len=8 id=0xF3 state=9
Log from laptop:
Shows "user authentication has failed"
It must be something quite simple, such as spelling or caps, etc., but I don't see it, and I have checked the configuration many times. I guess I will have to go over it all again.
Regards,
helmut K.
HELMUTHK
ASKER
Hello All,
I resolved the problem. The user ID is case sensitive as well as the password.
http://www.sonicwall.com/downloads/SonicOS_Enhanced_to_Openswan_Using_GroupVPN_with_XAUTH.pdf
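Added example, not part of the thread and not SonicWall tooling: a small Python parser for log lines laid out like the firewall log quoted above. It groups XAUTH failures by user name regardless of case and reports accounts that were tried under more than one capitalisation, which is the pattern that turned out to matter here. The sample lines, addresses and user names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the layout of the firewall log quoted in the thread
# (documentation-range addresses, made-up user names).
SAMPLE_LOG = """\
1 03/21/2012 10:38:41.240 Error VPN Client XAUTH Failed with VPN client, Authentication failure 203.0.113.20 (JDOE) 198.51.100.1 JDOE
2 03/21/2012 10:38:41.064 Info VPN IKE IKE Responder: Aggressive Mode complete (Phase 1) 203.0.113.20, 500 (JDOE) 198.51.100.1, 500 VPN Policy: WAN GroupVPN
3 03/21/2012 10:38:12.784 Error VPN Client XAUTH Failed with VPN client, Authentication failure 203.0.113.20 (jdoe) 198.51.100.1 jdoe
4 03/21/2012 10:38:08.064 Error VPN Client XAUTH Failed with VPN client, Authentication failure 203.0.113.20 (jdoe) 198.51.100.1 jdoe
5 03/21/2012 10:37:10.000 Error VPN Client XAUTH Failed with VPN client, Authentication failure 203.0.113.99 (alice) 198.51.100.1 alice
"""

# Matches only the "XAUTH Failed" error lines; the user name is the value in parentheses.
XAUTH_FAIL = re.compile(
    r"^\d+\s+(?P<date>\S+)\s+(?P<time>\S+)\s+Error\s+VPN Client\s+"
    r"XAUTH Failed with VPN client, Authentication failure\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+\((?P<user>[^)]*)\)"
)

def xauth_failures(log_text):
    """Yield (source_ip, username) for every XAUTH failure line."""
    for line in log_text.splitlines():
        m = XAUTH_FAIL.match(line)
        if m:
            yield m.group("src"), m.group("user")

def summarize(log_text):
    """Group failures by case-folded user name; keep the spellings and sources seen."""
    summary = defaultdict(lambda: {"count": 0, "spellings": set(), "sources": set()})
    for src, user in xauth_failures(log_text):
        entry = summary[user.casefold()]
        entry["count"] += 1
        entry["spellings"].add(user)
        entry["sources"].add(src)
    return dict(summary)

def case_variant_users(log_text):
    """Users whose failed logins arrived under more than one capitalisation."""
    return sorted(u for u, e in summarize(log_text).items() if len(e["spellings"]) > 1)

if __name__ == "__main__":
    for user, e in summarize(SAMPLE_LOG).items():
        print(user, e["count"], sorted(e["spellings"]), sorted(e["sources"]))
    print("case variants:", case_variant_users(SAMPLE_LOG))
```

A user that shows up in the case-variant list with a single source address points at a credential-format problem on the client side rather than at the VPN policy itself.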